CVE-2026-49093
Server-Side Request Forgery in Kibana

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: Elastic

Description
Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block.
Meta Information
Published: 2026-05-28
Last Modified: 2026-06-01
Generated: 2026-06-19
AI Q&A: 2026-05-29
EPSS Evaluated: 2026-06-18
NVD
Affected Vendors & Products
Vendor: elastic
Product: kibana
Version / Range: from 9.3.0 (inclusive) to 9.3.3 (exclusive)
CWE ID: CWE-918
Description: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) issue in Kibana. It allows an authenticated user who has connector management privileges to bypass the operator-configured connector allowlist. As a result, the Kibana server can be tricked into making outbound requests to destinations that the egress controls were designed to block.

Impact Analysis

An attacker who holds connector management privileges can cause the Kibana server to send requests to destinations the operator intended to block. Because the request originates from the Kibana server itself, this can expose internal resources or data to unintended parties, or let the attacker interact with internal services that the egress controls were meant to shield.

Mitigation Strategies

The immediate mitigation steps include upgrading Kibana to version 9.3.3 or later, where the vulnerability is fixed.

If upgrading is not immediately possible, restrict connector management privileges to trusted users only, to reduce the risk of exploitation.

Additionally, review and tighten the `xpack.actions.allowedHosts` setting to ensure it does not use the default wildcard ["*"] and properly restricts outbound destinations.

Compliance Impact

The provided information does not specify how the Server-Side Request Forgery vulnerability in Kibana directly impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

Detecting exploitation of this vulnerability involves monitoring for outbound requests from the Kibana server to destinations that the egress controls should have blocked.

Since the vulnerability allows an authenticated user with connector management privileges to bypass the configured allowlist, you can look for unusual outbound network traffic originating from Kibana, especially to hosts not included in the `xpack.actions.allowedHosts` setting.

Network monitoring tools and firewall log inspection can help surface such activity. For example, on a Linux system you could use:

  • tcpdump -i <interface> host <kibana_server_ip> and not net <allowed_networks>
  • netstat -anp | grep kibana
  • Review Kibana logs for connector management activity and any outbound request logs.
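As an added example that ties the mitigation steps above (tightening `xpack.actions.allowedHosts`) to the detection guidance, the following script flags an allowlist that still carries the default wildcard and checks a constructed list of observed outbound destinations against the allowlist. This is not Kibana's or Elastic's code; it assumes the allowlist is matched by exact, case-insensitive hostname comparison, and the sample URLs and connector ids are invented.

```python
"""Audit an xpack.actions.allowedHosts value and check observed connector
destinations against it. Added example, not Kibana's own implementation."""
from urllib.parse import urlsplit

WILDCARD = "*"  # Kibana's default allowedHosts value is ["*"]


def audit_allowed_hosts(allowed_hosts):
    """Return a list of findings for an allowedHosts setting (empty = OK)."""
    findings = []
    if WILDCARD in allowed_hosts:
        findings.append("allowlist contains the wildcard: every destination is permitted")
    for entry in allowed_hosts:
        # Entries are expected to be bare hostnames; a scheme or path is a config error.
        if entry != WILDCARD and ("/" in entry or ":" in entry.split("]")[-1]):
            findings.append(f"{entry!r}: not a bare hostname, entry will not match as intended")
    return findings


def destination_allowed(url, allowed_hosts):
    """Exact, case-insensitive hostname match (assumed matching rule for this example)."""
    if WILDCARD in allowed_hosts:
        return True
    host = (urlsplit(url).hostname or "").lower()
    return host in {h.lower() for h in allowed_hosts}


# Constructed sample of outbound requests seen from the Kibana host:
# (destination URL, connector id). Not real traffic.
OBSERVED = [
    ("https://hooks.example.com/services/abc", "webhook-1"),
    ("http://internal-admin.corp.example/api/reset", "webhook-2"),
    ("https://HOOKS.EXAMPLE.COM/services/def", "webhook-1"),
    ("http://10.0.0.5:9200/_cluster/health", "webhook-3"),
]


def flag_disallowed(observed, allowed_hosts):
    """Return (connector id, URL) pairs whose destination is outside the allowlist."""
    return [(cid, url) for url, cid in observed
            if not destination_allowed(url, allowed_hosts)]


if __name__ == "__main__":
    allowlist = ["hooks.example.com"]  # the tightened setting a defender would deploy
    for finding in audit_allowed_hosts(["*"]):
        print("config finding:", finding)
    for cid, url in flag_disallowed(OBSERVED, allowlist):
        print(f"connector {cid} reached a non-allowlisted destination: {url}")
```

Feed the script real connector destinations (from Kibana logs or egress proxy records) in place of the constructed OBSERVED list to turn it into a recurring check.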